Provided are techniques for receiving a packet transmitted in conjunction with a security association associated with Internet Protocol Security (IPSec); determining, based upon the security association that the packet is faulty; incrementing a count corresponding to previous faulty packets received; determining that the count exceeds a threshold; and disabling IPSec accelerator hardware in response to the determining that the count exceeds the threshold.
8. A computer programming product, comprising:
a non-transitory computer-readable storage medium (CRSM); and
logic, stored on the CRSM for execution on a processor, for:
receiving a packet transmitted in conjunction with a security association associated with Internet Protocol Security (IPSec);
determining, based upon the security association that the packet is faulty;
incrementing a count corresponding to previous faulty packets received;
determining that the count exceeds a threshold; and
disabling IPSec accelerator hardware in response to determining that the count exceeds the threshold.
1. An apparatus, comprising:
a processor;
a computer-readable storage medium (CRSM) coupled to the processor; and
logic, stored on the CRSM and executed on the processor, for:
receiving a packet transmitted in conjunction with a security association associated with Internet Protocol Security (IPSec);
determining, based upon the security association that the packet is faulty;
incrementing a count corresponding to previous faulty packets received;
determining that the count exceeds a threshold; and
disabling IPSec accelerator hardware in response to the determining that the count exceeds the threshold.
15. A network adapter, comprising:
a processor;
an IPSec accelerator hardware;
a computer-readable storage medium (CRSM) coupled to the processor; and
logic, stored on the CRSM and executed on the processor, for:
receiving a packet transmitted in conjunction with a security association associated with Internet Protocol Security (IPSec);
determining, based upon the security association that the packet is faulty;
incrementing a count corresponding to previous faulty packets received;
determining that the count exceeds a threshold; and
disabling the IPSec accelerator hardware in response to the determining that the count exceeds the threshold.
2. The apparatus of
3. The apparatus of
4. The apparatus of
5. The apparatus of
6. The apparatus of
7. The apparatus of
enabling the IPSec accelerator hardware in response to a determination that a cause corresponding to a limit associated with the faulty packet is resolved; and
disabling the IPSec accelerator software module in response to the enabling of the IPSec accelerator hardware.
9. The computer programming product of
10. The computer programming product of
11. The computer programming product of
12. The computer programming product of
13. The computer programming product of
14. The computer programming product of
enabling the IPSec accelerator hardware in response to a determination that a cause corresponding to a fault associated with the faulty packet is resolved; and
disabling the IPSec accelerator software module in response to the enabling of the IPSec accelerator hardware.
16. The network adapter of
17. The network adapter of
18. The network adapter of
enabling the IPSec accelerator hardware in response to a determination that a cause corresponding to a fault associated with the faulty packet is resolved; and
disabling the IPSec accelerator software module in response to the enabling of the IPSec accelerator hardware.
The claimed subject matter relates generally to network communication and, more specifically, to techniques for controlling Internet Protocol Security (IPSec) offloads in the event of a hardware failure.
Provided are techniques for controlling IPSec offloads in the event of a hardware failure. IPSec is a hardware feature supported by many network adapters. Typically, an outgoing or incoming packet is encapsulated or de-capsulated, respectively, when the packet is transferred by the IP layer to IPSec. While the encapsulation/de-capsulation may be performed in software associated with a network adapter, IPSec offload enables encapsulation/de-capsulation to be performed in specifically designed hardware. Since every packet sent by IP may need IPSec, IPSec offload has the advantage of improving performance.
Provided are techniques for receiving a packet transmitted in conjunction with a security association associated with Internet Protocol Security (IPSec); determining, based upon the security association that the packet is faulty; incrementing a count corresponding to previous faulty packets received; determining that the count exceeds a threshold; and disabling IPSec accelerator hardware in response to the determining that the count exceeds the threshold.
This summary is not intended as a comprehensive description of the claimed subject matter but, rather, is intended to provide a brief overview of some of the functionality associated therewith. Other systems, methods, functionality, features and advantages of the claimed subject matter will be or will become apparent to one with skill in the art upon examination of the following figures and detailed description.
A better understanding of the claimed subject matter can be obtained when the following detailed description of the disclosed embodiments is considered in conjunction with the following figures, in which:
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational actions to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
If an IPSec offload feature is not operable on any particular hardware, there is currently no way for IPSec software on a corresponding network adapter to adapt and, therefore, all communication over IPSec fails. If an adapter does not support IPSec offload, a user is forced to turn off certain features such as Large Send and Checksum Offload on the adapter because segmentation and checksum recalculation cannot be done by the adapter on IPSec encapsulated packets.
Turning now to the figures,
Also included in computing system 102 and attached to CPU 104 is a computer-readable storage medium (CRSM) 112, which may either be incorporated into client system 102 i.e. an internal device, or attached externally to CPU 104 by means of various, commonly available connection devices such as but not limited to, a universal serial bus (USB) port (not shown). CRSM 112 is illustrated storing an operating system 114 that includes an Internet Protocol security module (IPSM) 116.
Computing system 102 also includes a device driver (DD) 118, a network adapter 120, an Offload Control module (OLC) 121 and an Offload engine (OLE) 122. Functionality associated with DD 118, network adapter 120, OLC 121 and OLE 122 is explained in more detail below in conjunction with
Client system 102 and CPU 104 are connected to the Internet 126, which is also connected to a second computing system, i.e. a computing system_2 132. Although in this example, client system_1 102 and computing system_2 122 are communicatively coupled via the Internet 126, they could also be coupled through any number of communication mediums such as, but not limited to, a local area network (LAN) (not shown). Computing system_2 132 includes a CPU 134, a DD 136, a network adapter 140, an OLC 141, an OLE 142 and a CRSM 142, like elements 104, 118, 120-122 and 112 of computing system_1 102, respectively. Typically, computing system_2 132 would also include a monitor, keyboard, mouse, OS and IPSM, which, for the sake of simplicity, are not shown. The elements of
I/O module 140 handles communication between OLC 121 and other components of computing system_1 102. Data cache 142 is a data repository for information, including but not limited to logic and parameters, which OLC 121 requires during setup and normal operation. Examples of the types of information stored in data cache 142 include a transmission send (TX) counter 150, a transmission receive (RX) counter 152, OLC logic 154 and OLC configuration 156.
TX counter 150 and RX counter 152 are used to keep track of transmission and receive errors, respectively. OLC logic 154 includes logic for controlling the operation of OLC 121. Like other components of OLC 121, OLC logic 154 may be implemented as hardware, software or a combination of the two. OLC configuration 156 includes information on various operational preferences that have been set. For example, an administrator may set an upper limit on the number of either TX or RX errors over a defined period of time that would cause OLC 118 to implement procedures to disable IPSec offloading in accordance with the claimed subject matter.
OLC engine 144 executes logic in OLC logic 154 under control of parameters stored in OLC configuration 156. Components 142, 144, 150, 152, 154 and 156 are described in more detail below in conjunction with
Process 200 starts in a “Begin Setup OLC” block 202 and proceeds immediately to a “Retrieve Parameters” block 204. During processing associated with block 204, various parameters that control the operation of an Operate OLC process (see 250,
During processing associated with an “Initiate Operate OLC process” block 210, a process is initiated to handle the normal processing of OLC 121 (see 250,
Process 250 starts in a “Begin Operate OLC” block 252 and proceeds immediately to a “Receive Packet” block 254. During processing associated with block 254, a packet is received by network adapter 120 (
If, during processing associated with block 256, a determination is made that the network adapter is offload capable, control proceeds to an “Offload Enabled?” block 260. During processing associated with block 260, a determination is made as to whether or not network adapter 120, which was determined to have IPSec offload functionality, is currently enabled to execute offload processing. If not, control proceeds to “Return to Adapter” block 258 and processing continues as described herein.
If, during processing associated with block 260, a determination is made that the network adapter is offload enabled, control proceeds to a “Process Packet” block 262. Block 262 is described in more detail below in conjunction with
If, during processing associated with block 264, a determination is made that an IPSec error has occurred, control proceeds to an “Increment Counter” block 266. During processing associated with block 266, either a transmission counter or a receive counter (see 150, 152;
If a determination is made that the error limit is exceeded, control proceeds to a “Disable Offload” block 270. During processing associated with block 270, OLC 121 disables OLE 122 and sets an indication in network adapter 120 that indicates this configuration. Control then proceeds to Return to Adapter block 258 and processing continues as described above. If, during processing associated with block 268, a determination is made that the counter does not exceed the limit, control proceeds to block 258 and processing continues as described above.
Finally, process 250 is halted by means of an asynchronous interrupt 272, which passes control to an “End Operate OLC” block 279 in which process 250 is complete. Interrupt 272 is typically generated when the computing system 102, OS or network adapter 120 is halted. During normal operation, process 250 continuously loops through the blocks 254, 256, 258, 260, 262, 264, 266, 268 and 270, processing IPSec packets as they are received.
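The decision path of process 250 (blocks 256 through 270), together with the re-enable step from the dependent claims, sketched in C as an added example; this is not code from the patent. The bit layout of the security status word, the fixed counting window and all identifiers are assumptions made for illustration, and the sample packets are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bit layout for the security status word. */
#define SSW_SA_MATCH  0x01u  /* packet matched a known SA */
#define SSW_AUTH_OK   0x02u  /* hash / signature verified */
#define SSW_PROTO_ERR 0x04u  /* error reported on ESP or AH */

enum direction { DIR_TX = 0, DIR_RX = 1 };
enum path { PATH_HW_OFFLOAD, PATH_SOFTWARE };

struct olc {
    bool     offload_capable;  /* block 256 */
    bool     offload_enabled;  /* block 260 */
    uint32_t errors[2];        /* TX counter 150, RX counter 152 */
    uint32_t error_limit;      /* from OLC configuration 156 */
    uint64_t window_secs;      /* the "defined period of time" (assumed fixed window) */
    uint64_t window_start;
};

/* Assumption: any of these conditions counts as an IPSec error (block 264). */
static bool ssw_is_faulty(uint32_t ssw)
{
    return (ssw & SSW_PROTO_ERR) || !(ssw & SSW_SA_MATCH) || !(ssw & SSW_AUTH_OK);
}

/* One pass of process 250; returns the path in effect after this packet. */
enum path olc_on_packet(struct olc *c, enum direction d, uint32_t ssw, uint64_t now)
{
    if (!c->offload_capable || !c->offload_enabled)
        return PATH_SOFTWARE;                      /* 256/260 -> 258 */
    if (now - c->window_start >= c->window_secs) { /* start a new period */
        c->errors[DIR_TX] = c->errors[DIR_RX] = 0;
        c->window_start = now;
    }
    if (ssw_is_faulty(ssw) && ++c->errors[d] > c->error_limit)  /* 264-268 */
        c->offload_enabled = false;                /* block 270 */
    return c->offload_enabled ? PATH_HW_OFFLOAD : PATH_SOFTWARE;
}

/* Re-enable hardware once the cause of the fault is resolved. */
void olc_fault_resolved(struct olc *c, uint64_t now)
{
    if (!c->offload_capable)
        return;
    c->errors[DIR_TX] = c->errors[DIR_RX] = 0;
    c->window_start = now;
    c->offload_enabled = true;
}

int main(void)
{
    struct olc c = { .offload_capable = true, .offload_enabled = true,
                     .error_limit = 2, .window_secs = 10 };
    /* Constructed sample: one good packet, then three faulty RX packets. */
    uint32_t rx[] = { SSW_SA_MATCH | SSW_AUTH_OK, SSW_SA_MATCH, SSW_PROTO_ERR, 0 };
    for (uint64_t t = 0; t < 4; t++)
        printf("t=%llu path=%s\n", (unsigned long long)t,
               olc_on_packet(&c, DIR_RX, rx[t], t) == PATH_HW_OFFLOAD ? "hw" : "sw");
    olc_fault_resolved(&c, 4);
    printf("after fix: %s\n", c.offload_enabled ? "hw" : "sw");
    return 0;
}
```

TX and RX errors are counted separately, so a burst on one direction does not push the other over the limit; once offload is disabled, every later packet takes the software path until `olc_fault_resolved` is called.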
Process 300 starts in a “Begin Process Packet” block 302 and proceeds immediately to a “Packet Outgoing?” block 304. During processing associated with block 304, a determination is made as to whether or not the received packet (see 254,
If, during processing associated with block 304, a determination is made that the packet received is not an outgoing packet, i.e. an incoming packet, control proceeds to a “Packet Encrypted?” block 316. During processing associated with block 316, a determination is made as to whether or not the incoming packet is encrypted, typically by ascertaining whether or not the packet includes a SA. If so, during processing associated with a “Decrypt Packet” block 318, network adapter 120 decrypts the packet prior to providing the packet to DD 118. During processing associated with a “Generate Receive Frame Structure (RFS)” block 320, network adapter 120 provides a new structure called a Receive Frame Descriptor (RFD) structure that includes a field entitled “security status word,” which reflects how adapter 120 has performed an IPSec operation on the packet. The RFD structure includes information such as, but not limited to, the status of a signature, DES and hash, any errors on ESP or AH protocol, an SA ID and SA match. IP security module 116 (
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Mansur, Vishal Ramachandra, Prashanth, Arpana, Singh, Dilip Kumar, Deuri, Kokil Kumar
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Nov 02 2011 | DEURI, KOKIL K | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 027236 | /0943 | |
Nov 02 2011 | MANSUR, VISHAL R | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 027236 | /0943 | |
Nov 02 2011 | PRASHANTH, ARPANA | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 027236 | /0943 | |
Nov 02 2011 | SINGH, DELIP K | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 027236 | /0943 | |
Nov 16 2011 | International Business Machines Corporation | (assignment on the face of the patent) | / |
Date | Maintenance Fee Events |
Feb 19 2014 | ASPN: Payor Number Assigned. |
Jul 18 2017 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Jul 19 2021 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |